This reference topic for the IT professional contains supported registry setting information for the Windows implementation of the Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol through the Schannel Security Support Provider (SSP). The registry subkeys and entries covered in this topic help you administer and troubleshoot the Schannel SSP, specifically the TLS and SSL protocols.

Warning

This information is provided as a reference to use when you are troubleshooting or verifying that the required settings are applied. We recommend that you do not edit the registry directly unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.

CertificateMappingMethods

This entry does not exist in the registry by default. When it is absent, all four certificate mapping methods are supported.

When a server application requires client authentication, Schannel automatically attempts to map the certificate that is supplied by the client computer to a user account. You can authenticate users who sign in with a client certificate by creating mappings, which relate the certificate information to a Windows user account. After you create and enable a certificate mapping, each time a client presents a client certificate, your server application automatically associates that user with the appropriate Windows user account.

In most cases, a certificate is mapped to a user account in one of two ways:

A single certificate is mapped to a single user account (one-to-one mapping).

Many certificates are mapped to a single user account (many-to-one mapping).

ClientCacheTime

This entry controls the amount of time, in milliseconds, after which the operating system expires client-side session cache entries. A value of 0 turns off secure-connection caching. This entry does not exist in the registry by default.

The first time a client connects to a server through the Schannel SSP, a full TLS/SSL handshake is performed. When this is complete, the master secret, cipher suite, and certificates are stored in the session cache on the respective client and server, so that later connections can resume the session without repeating the full handshake.

Hashes

IssuerCacheSize

This entry controls the size of the issuer cache, and it is used with issuer mapping. The Schannel SSP attempts to map all of the issuers in the client's certificate chain, not only the direct issuer of the client certificate. When the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name repeatedly, hundreds of times per second.

To prevent this, the server keeps a negative cache: if an issuer name does not map to an account, it is added to the cache, and the Schannel SSP will not attempt to map that issuer name again until the cache entry expires. This registry entry specifies the cache size. This entry does not exist in the registry by default. The default value is 100.

Applicable versions: As designated in the Applies To list at the beginning of this topic.

IssuerCacheTime

This entry controls the length of the issuer cache timeout interval in milliseconds. The Schannel SSP attempts to map all of the issuers in the client's certificate chain, not only the direct issuer of the client certificate. When the issuers do not map to an account, which is the typical case, the server might attempt to map the same issuer name repeatedly, hundreds of times per second.

To prevent this, the server keeps a negative cache: if an issuer name does not map to an account, it is added to the cache, and the Schannel SSP will not attempt to map that issuer name again until the cache entry expires. This cache exists for performance reasons, so that the system does not keep trying to map the same issuers. This entry does not exist in the registry by default. The default value is 10 minutes.

Applicable versions: As designated in the Applies To list at the beginning of this topic.

To specify the minimum RSA key bit length that the TLS client will accept, create a ClientMinKeyBitLength entry under the RSA key exchange subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, 1024 bits is the minimum.

To specify the maximum RSA key bit length that the TLS client will accept, create a ClientMaxKeyBitLength entry under the RSA key exchange subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, no maximum is enforced.

To specify the minimum Diffie-Hellman key bit length that the TLS client will accept, create a ClientMinKeyBitLength entry under the Diffie-Hellman key exchange subkey. This is a separate entry from the RSA entry of the same name. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, 1024 bits is the minimum.

To specify the maximum Diffie-Hellman key bit length that the TLS client will accept, create a ClientMaxKeyBitLength entry under the Diffie-Hellman key exchange subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, no maximum is enforced.

To specify the Diffie-Hellman key bit length that the TLS server uses by default, create a ServerMinKeyBitLength entry under the Diffie-Hellman key exchange subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to the desired bit length. If not configured, 2048 bits is the default.

Messaging – fragment parsing

These entries control the maximum size of fragmented TLS handshake messages that will be accepted. Messages larger than the allowed size are rejected, and the TLS handshake fails. These entries do not exist in the registry by default.

When you set the value to 0x0, fragmented messages are not processed at all, which causes any TLS handshake that uses them to fail. This makes TLS clients or servers on the current machine non-compliant with the TLS RFCs.

The maximum allowed size can be increased up to 2^24-1 bytes. Allowing a client or server to read and store large amounts of unverified data from the network is not a good idea: the limit is a denial-of-service boundary, and every byte up to it is buffered per security context before the handshake is authenticated, so raising it consumes additional memory for each connection an unauthenticated peer opens.

To specify the maximum size of fragmented TLS handshake messages that the TLS client will accept, create a MessageLimitClient entry. After you have created the entry, change the DWORD value to the desired size in bytes. If not configured, the default value is 0x8000 bytes.

To specify the maximum size of fragmented TLS handshake messages that the TLS server will accept when client authentication is not used, create a MessageLimitServer entry. After you have created the entry, change the DWORD value to the desired size in bytes. If not configured, the default value is 0x4000 bytes.

To specify the maximum size of fragmented TLS handshake messages that the TLS server will accept when client authentication is used, create a MessageLimitServerClientAuth entry. After you have created the entry, change the DWORD value to the desired size in bytes. If not configured, the default value is 0x8000 bytes.

SendTrustedIssuerList

This entry controls whether the list of trusted issuers is sent when the server requests client authentication. For servers that trust hundreds of certification authorities for client authentication, there are too many issuers for the server to send them all to the client computer in the certificate request. In this situation, this registry entry can be set so that, instead of sending a partial list, the Schannel SSP sends no list to the client at all.

Not sending a list of trusted issuers can change what the client sends when it is asked for a client certificate. For example, when Internet Explorer receives a request for client authentication, it displays only the client certificates that chain up to one of the certification authorities sent by the server. If the server did not send a list, Internet Explorer displays all of the client certificates that are installed on the client.

This behavior might be desirable. For example, when PKI environments include cross certificates, the client and server certificates will not share the same root CA; therefore, Internet Explorer cannot choose a certificate that chains up to one of the server's CAs. By configuring the server not to send a trusted issuer list, Internet Explorer will offer all of its certificates, and the server can then evaluate the chain itself.
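The entries above (the cache settings, the RSA and Diffie-Hellman key bit lengths, the fragment limits and SendTrustedIssuerList) are all plain DWORD values whose absence means "use the default", which makes them easy to misread during an audit. The following PowerShell is an added example, not code from the original page or from Microsoft: it reports the effective value of each entry and provides a setter that enforces the 2^24-1 byte ceiling on the fragment limits and warns about the two risky extremes described above. The base path and the subkey names Messaging, KeyExchangeAlgorithms\PKCS (for the RSA entries) and KeyExchangeAlgorithms\Diffie-Hellman are assumptions; the page itself does not spell out the paths.

```powershell
# Added example (not from the original page): audit and set the Schannel DWORD
# entries discussed above. Run in an elevated PowerShell session.
# ASSUMED (not stated on the page): the base path and subkey names below.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# One row per entry: subkey ('' = SCHANNEL root), name, unit, the default the page
# documents ($null where it gives none) and, for fragment limits, the hard maximum.
$SchannelEntries = @(
    @{ Sub = '';                                     Name = 'ClientCacheTime';              Unit = 'ms';      Default = $null;  Note = '0 disables secure-connection caching' }
    @{ Sub = '';                                     Name = 'IssuerCacheSize';              Unit = 'entries'; Default = 100 }
    @{ Sub = '';                                     Name = 'IssuerCacheTime';              Unit = 'ms';      Default = 600000 }   # 10 minutes
    @{ Sub = '';                                     Name = 'SendTrustedIssuerList';        Unit = 'flag';    Default = $null;  Note = '0 = send no issuer list' }
    @{ Sub = 'KeyExchangeAlgorithms\PKCS';           Name = 'ClientMinKeyBitLength';        Unit = 'bits';    Default = 1024 }
    @{ Sub = 'KeyExchangeAlgorithms\PKCS';           Name = 'ClientMaxKeyBitLength';        Unit = 'bits';    Default = $null;  Note = 'no maximum enforced' }
    @{ Sub = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'ClientMinKeyBitLength';        Unit = 'bits';    Default = 1024 }
    @{ Sub = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'ClientMaxKeyBitLength';        Unit = 'bits';    Default = $null;  Note = 'no maximum enforced' }
    @{ Sub = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'ServerMinKeyBitLength';        Unit = 'bits';    Default = 2048 }
    @{ Sub = 'Messaging';                            Name = 'MessageLimitClient';           Unit = 'bytes';   Default = 0x8000; Max = 0xFFFFFF }
    @{ Sub = 'Messaging';                            Name = 'MessageLimitServer';           Unit = 'bytes';   Default = 0x4000; Max = 0xFFFFFF }
    @{ Sub = 'Messaging';                            Name = 'MessageLimitServerClientAuth'; Unit = 'bytes';   Default = 0x8000; Max = 0xFFFFFF }
)

function Get-SchannelEntryPath([string]$Sub) {
    if ($Sub) { Join-Path $SchannelBase $Sub } else { $SchannelBase }
}

function Get-SchannelSetting {
    # Emits one object per entry: the configured value (or $null when absent), the
    # effective value after applying the page's documented default, and its source.
    foreach ($e in $SchannelEntries) {
        $path = Get-SchannelEntryPath $e.Sub
        $configured = $null
        if (Test-Path $path) {
            $configured = (Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        }
        $label = if ($e.Sub) { "$($e.Sub)\$($e.Name)" } else { $e.Name }
        if ($null -ne $configured) { $effective = $configured; $source = 'registry' }
        elseif ($null -ne $e.Default) { $effective = $e.Default; $source = 'page default' }
        else { $effective = $null; $source = 'not set, no documented default' }
        [pscustomobject]@{
            Entry      = $label
            Configured = $configured
            Effective  = $effective
            Unit       = $e.Unit
            Source     = $source
            Note       = $e.Note
        }
    }
}

function Set-SchannelDword {
    # Creates the subkey if needed and writes a DWORD, enforcing the 2^24-1 byte
    # ceiling on the fragment limits and warning about the risky extremes.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$SubKey,   # '' for the SCHANNEL root
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][uint32]$Value
    )
    $entry = $SchannelEntries | Where-Object { $_.Sub -eq $SubKey -and $_.Name -eq $Name } | Select-Object -First 1
    if (-not $entry) { throw "Unknown Schannel entry '$SubKey\$Name'" }
    if ($entry.Max -and $Value -gt $entry.Max) {
        throw ('{0} must not exceed 0x{1:X} bytes (2^24-1)' -f $Name, $entry.Max)
    }
    if ($entry.Sub -eq 'Messaging' -and $Value -eq 0) {
        Write-Warning "$Name = 0 rejects every fragmented handshake message; not TLS RFC compliant"
    }
    if ($entry.Sub -eq 'Messaging' -and $Value -gt $entry.Default) {
        Write-Warning "$Name above its default buffers more unverified network data per security context"
    }
    $path = Get-SchannelEntryPath $SubKey
    if ($PSCmdlet.ShouldProcess("$path\$Name", "Set DWORD to $Value")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $Name -Value $Value -Type DWord
    }
}

# Usage: review effective values, then preview (-WhatIf) raising the client-side
# Diffie-Hellman minimum from the 1024-bit default to 2048 bits.
Get-SchannelSetting | Format-Table Entry, Configured, Effective, Unit, Source, Note -AutoSize
Set-SchannelDword -SubKey 'KeyExchangeAlgorithms\Diffie-Hellman' -Name 'ClientMinKeyBitLength' -Value 2048 -WhatIf
```

Remove -WhatIf to apply a change; the audit deliberately distinguishes a value that is explicitly configured from one that is merely the documented default, because an absent entry can silently revert to a weaker default on a rebuilt host.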

To enable the SSL 2.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1. To disable the protocol, change the DWORD value to 0.

SSL 2.0 subkey table

Subkey    Description
Client    Controls the use of SSL 2.0 on the SSL client.

To enable the SSL 3.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1. To disable the protocol, change the DWORD value to 0.

SSL 3.0 subkey table

Subkey    Description
Client    Controls the use of SSL 3.0 on the SSL client.

To disable the TLS 1.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.0 subkey table

Subkey               Description
Client               Controls the use of TLS 1.0 on the TLS client.
Server               Controls the use of TLS 1.0 on the TLS server.
DisabledByDefault    Flag to disable TLS 1.0 by default. Unlike Enabled = 0, which turns the protocol off entirely, DisabledByDefault = 1 leaves the protocol available but not offered unless an application explicitly requests it.

TLS 1.1

For TLS 1.1 to be enabled and negotiated on servers that run Windows Server 2008 R2, you MUST create the DisabledByDefault entry in the appropriate subkey (Client, Server) and set it to 0. The entry is not present in the registry by default, and when it is absent it is treated as 1.

To disable the TLS 1.1 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.1 subkey table

Subkey               Description
Client               Controls the use of TLS 1.1 on the TLS client.
Server               Controls the use of TLS 1.1 on the TLS server.
DisabledByDefault    Flag to disable TLS 1.1 by default. Unlike Enabled = 0, which turns the protocol off entirely, DisabledByDefault = 1 leaves the protocol available but not offered unless an application explicitly requests it.

TLS 1.2

For TLS 1.2 to be enabled and negotiated on servers that run Windows Server 2008 R2, you MUST create the DisabledByDefault entry in the appropriate subkey (Client, Server) and set it to 0. The entry is not present in the registry by default, and when it is absent it is treated as 1.

To disable the TLS 1.2 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.2 subkey table

Subkey    Description
Client    Controls the use of TLS 1.2 on the TLS client.

To disable the DTLS 1.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

DTLS 1.0 subkey table

Subkey    Description
Client    Controls the use of DTLS 1.0 on the DTLS client.
Server    Controls the use of DTLS 1.0 on the DTLS server.

To disable the DTLS 1.2 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

DTLS 1.2 subkey table

Subkey    Description
Client    Controls the use of DTLS 1.2 on the DTLS client.
Server    Controls the use of DTLS 1.2 on the DTLS server.
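The protocol subkeys above are the ones most often hardened, and the common mistake is to set Enabled without DisabledByDefault (or the reverse), or to misspell a subkey name so that Schannel never reads it. The following PowerShell is an added example, not code from the original page or from Microsoft: it declares the desired state for SSL 2.0 through TLS 1.2, reports what is actually configured for each Client and Server subkey (distinguishing an absent entry from an explicit 0 or 1), applies the state, and verifies it. The Protocols base path is an assumption (the page does not print it); the subkey and entry names are those the page documents.

```powershell
# Added example (not from the original page): harden the Schannel protocol subkeys.
# Run in an elevated PowerShell session; Schannel reads these at service start, so a
# reboot is needed before the change takes effect.
# ASSUMED (not stated on the page): the Protocols base path below. Subkey names must
# match exactly as the page writes them ('TLS 1.2' with the space).
$ProtocolsBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired end state. Enabled=0 turns a protocol off entirely; DisabledByDefault=1 keeps
# it off unless an application asks for it explicitly. For TLS 1.1/1.2 on Windows
# Server 2008 R2 the page says DisabledByDefault must be created and set to 0.
$DesiredProtocolState = [ordered]@{
    'SSL 2.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Get-SchannelProtocolState {
    # Reports the registry contents per protocol and role. An absent entry is returned
    # as $null so "not configured" is visibly different from an explicit 0 or 1.
    param([string[]]$Protocol = @($DesiredProtocolState.Keys), [string[]]$Role = @('Client', 'Server'))
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $path = Join-Path $ProtocolsBase "$p\$r"
            $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = if ($props) { $props.Enabled } else { $null }
                DisabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }
            }
        }
    }
}

function Set-SchannelProtocolState {
    # Applies $DesiredProtocolState to both roles, creating missing subkeys.
    # -WhatIf previews every write without touching the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Role = @('Client', 'Server'))
    foreach ($p in $DesiredProtocolState.Keys) {
        $target = $DesiredProtocolState[$p]
        foreach ($r in $Role) {
            $path = Join-Path $ProtocolsBase "$p\$r"
            $action = "Enabled=$($target.Enabled) DisabledByDefault=$($target.DisabledByDefault)"
            if ($PSCmdlet.ShouldProcess($path, $action)) {
                if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                Set-ItemProperty -Path $path -Name 'Enabled'           -Value $target.Enabled           -Type DWord
                Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value $target.DisabledByDefault -Type DWord
            }
        }
    }
}

function Test-SchannelProtocolState {
    # Returns $true only when every protocol/role matches the desired state.
    # An absent entry never matches, because absent means "Windows default", not "0".
    $ok = $true
    foreach ($s in Get-SchannelProtocolState) {
        $want = $DesiredProtocolState[$s.Protocol]
        if ($s.Enabled -ne $want.Enabled -or $s.DisabledByDefault -ne $want.DisabledByDefault) {
            Write-Warning ("{0}\{1}: Enabled={2} DisabledByDefault={3}; want Enabled={4} DisabledByDefault={5}" -f `
                $s.Protocol, $s.Role, $s.Enabled, $s.DisabledByDefault, $want.Enabled, $want.DisabledByDefault)
            $ok = $false
        }
    }
    return $ok
}

# Usage: inspect, preview the change, then verify (expect $false until applied and rebooted).
Get-SchannelProtocolState | Format-Table -AutoSize
Set-SchannelProtocolState -WhatIf
Test-SchannelProtocolState
```

Drop -WhatIf to write the values. Disabling a protocol on the Client subkey also affects outbound connections made by services on the host (for example to an older back end), so check Test-SchannelProtocolState on a staging machine and confirm the dependent applications still negotiate before rolling the change out.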